CVE-2025-43743
📋 TL;DR
This vulnerability in Liferay Portal and DXP allows any authenticated user to enumerate other users' names by viewing their calendars. This information disclosure could enable targeted phishing attacks against those users. Affected versions include Liferay Portal 7.4.0-7.4.3.132 and multiple DXP versions from 2024.Q1 through 2025.Q1.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all user names from the system and launch sophisticated targeted phishing campaigns, potentially leading to credential theft or further system compromise.
Likely Case
Authenticated attackers gather limited user information for targeted phishing attempts against specific individuals or departments.
If Mitigated
With proper access controls and user awareness training, impact is limited to information disclosure without escalation to system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability allows enumeration through calendar viewing functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the latest security fix pack for your version. For Portal: 7.4.3.133 or later. For DXP: apply the latest fix pack for your specific version.
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43743
Restart Required: No
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack following Liferay's deployment procedures.
3. Verify the fix by testing calendar access controls.
🔧 Temporary Workarounds
Restrict Calendar Permissions
Temporarily restrict calendar viewing permissions to prevent user enumeration.
Navigate to Control Panel > Users and Organizations > Roles > Define Permissions > Calendar > View and restrict viewing to specific roles.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual calendar access patterns
- Enhance user awareness training about phishing risks and implement email security controls
🔍 How to Verify
Check if Vulnerable:
Test with two authenticated accounts: attempt to view another user's calendar through the interface or API calls to see if user names are exposed.
Check Version:
Check Liferay version via Control Panel > Server Administration > Properties > liferay.version
Verify Fix Applied:
After patching, repeat the test to confirm authenticated users can no longer enumerate other users through calendar functionality.
📡 Detection & Monitoring
Log Indicators:
- Multiple calendar view requests from single user to different user IDs
- Unusual pattern of calendar API calls
Network Indicators:
- Repeated requests to calendar endpoints with different user parameters
SIEM Query:
source="liferay" AND (uri_path="/api/jsonws/calendar*" OR uri_path="/web/guest/calendar*") AND user_agent!="bot" | stats count by src_ip, user_id
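The log indicator above (one account viewing the calendars of many different user IDs) as a small offline detector, added here as an example; it is not part of the advisory or of Liferay's own tooling. The log line format, the calendar endpoint path and the userId query parameter are constructed for illustration, so the regex and parameter name must be adapted to your real access-log format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access log: "<src_ip> <authenticated user> \"<request>\" <status>".
# The endpoint path and the userId parameter are assumed, not taken from Liferay docs.
SAMPLE_LOG = """\
10.0.0.5 alice "GET /api/jsonws/calendar/view?userId=20101 HTTP/1.1" 200
10.0.0.5 alice "GET /api/jsonws/calendar/view?userId=20102 HTTP/1.1" 200
10.0.0.5 alice "GET /api/jsonws/calendar/view?userId=20103 HTTP/1.1" 200
10.0.0.5 alice "GET /api/jsonws/calendar/view?userId=20104 HTTP/1.1" 200
10.0.0.9 bob "GET /api/jsonws/calendar/view?userId=20101 HTTP/1.1" 200
10.0.0.9 bob "GET /web/guest/home HTTP/1.1" 200
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r'^(?P<src_ip>\S+) (?P<actor>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)
# Path prefixes matching the two URI patterns used in the SIEM query above.
CALENDAR_PREFIXES = ("/api/jsonws/calendar", "/web/guest/calendar")


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = urlparse(m["target"])
    viewed = parse_qs(url.query).get("userId", [None])[0]  # assumed parameter name
    return {"src_ip": m["src_ip"], "actor": m["actor"], "path": url.path,
            "viewed_user": viewed, "status": int(m["status"])}


def find_enumerators(lines, threshold=3):
    """Map (src_ip, actor) -> sorted distinct user IDs viewed, for actors at or above threshold."""
    viewed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CALENDAR_PREFIXES):
            continue
        # Only successful views with an explicit target user count as enumeration evidence.
        if rec["status"] != 200 or rec["viewed_user"] is None:
            continue
        viewed[(rec["src_ip"], rec["actor"])].add(rec["viewed_user"])
    return {key: sorted(ids) for key, ids in viewed.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for (ip, actor), ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"possible enumeration: {actor}@{ip} viewed {len(ids)} distinct users: {ids}")
```

The threshold is a tuning knob: a distinct-count per actor is a better enumeration signal than the raw request count, because one user refreshing a single shared calendar produces many requests but only one target ID.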